683830 – Selinux avc for systemd-tty-ask during boot

Bug 683830 - Selinux avc for systemd-tty-ask during boot

Summary: Selinux avc for systemd-tty-ask during boot

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	selinux-policy
Sub Component:
Version:	15
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Miroslav Grepl
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-03-10 13:11 UTC by Bruno Wolff III
Modified:	2011-03-19 05:53 UTC (History)
CC List:	8 users (show)
Fixed In Version:	selinux-policy-3.9.16-5.fc15
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2011-03-19 05:53:41 UTC
Type:	---
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Bruno Wolff III 2011-03-10 13:11:33 UTC

Description of problem:
I get the following avc during boot (shows up in dmesg):
[   47.478675] type=1400 audit(1299761552.099:5): avc:  denied  { connectto } for  pid=1069 comm="systemd-tty-ask" path=002F6F72672F667265656465736B746F702F706C796D6F75746864 scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket

It doesn't seem to block unlocking encrypted devices (though I am seeing random failures there still) as I see it both when unlocking succeeds and when it fails.

Version-Release number of selected component (if applicable):
systemd-20-1.fc15.i686

How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Comment 1 Daniel Walsh 2011-03-10 15:58:25 UTC

type=AVC msg=audit(03/10/2011 07:52:32.099:5) : avc:  denied  { connectto } for  pid=1069 comm=systemd-tty-ask path=/org/freedesktop/plymouthd scontext=system_u:system_r:systemd_passwd_agent_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket

Should we just allow this in SELinux?

Comment 2 Lennart Poettering 2011-03-11 23:50:46 UTC

Yes, please. This is systemd trying to get a password from plymouth to use to decrypt a device.

Comment 3 Daniel Walsh 2011-03-14 19:36:30 UTC

Fixed in selinux-policy-3.9.16-4.fc15

Comment 4 Fedora Update System 2011-03-17 15:28:19 UTC

selinux-policy-3.9.16-5.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/selinux-policy-3.9.16-5.fc15

Comment 5 Fedora Update System 2011-03-19 05:52:44 UTC

selinux-policy-3.9.16-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.